The popular instant messaging and VoIP platform Discord had a vulnerability in its desktop app that allowed remote code execution (RCE). First revealed by bug bounty hunter Masato Kinugawa, the flaw could be exploited to take over the victim's computer.
Kinugawa first detected the vulnerability a few months ago and reported it via Discord's bug bounty program. In a detailed write-up on his blog, he said the vulnerability was a combination of multiple bugs: missing contextIsolation, XSS in iframe embeds and a navigation restriction bypass.
Electron, an open-source framework for building cross-platform desktop apps with HTML, CSS and JavaScript, was central to the bugs. Discord's desktop messaging app isn't open source, but the JavaScript code that Electron runs is saved locally on the user's machine.
Security Flaws
Discord's desktop app is built on Electron, and one setting, "contextIsolation", was set to false (disabled). This allowed JavaScript code from web pages to interfere with Electron's internal JavaScript code, which can use Node.js features. According to ZDNet, the feature was designed to keep web page JavaScript and Electron's internal JavaScript in separate contexts.
"This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false," Kinugawa said in his blog post.
He added that while looking for a way to execute JavaScript in the Electron app, he found a cross-site scripting (XSS) flaw in the iframe used to embed videos displayed in a chat or web page. "When the URL is posted, Discord tries to get the OGP information of that URL and if there is the OGP information, it displays the page's title, description, thumbnail image, associated video and so on in the chat," he explained.
Two More Bugs
When the Japanese cybersecurity researcher checked which domains were permitted in the iframe, he found Sketchfab, a service for viewing 3D content on web pages. Sketchfab could be embedded in the iframe, and he found a DOM (Document Object Model) based XSS vulnerability in its embed page that could be abused.
Combining the two allowed Kinugawa to execute JavaScript in the iframe, but that alone was not enough for a full RCE. On further investigation he discovered a third bug in Electron, a navigation restriction bypass. By chaining the three bugs, he was able to perform an RCE attack on Discord's desktop app.
After he reported the issues, Discord patched the security flaws. "The contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods," Kinugawa said. He received $5,000 from Discord's bug bounty program and $300 from Sketchfab. However, Discord didn't say whether the vulnerabilities had been exploited or whether any user was compromised.